List: busybox
Subject: Re: TLS Support in Busybox syslogd
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2021-03-16 19:40:29
Message-ID: CAK1hOcOoxE5HFfP5oRY1Kb0uWSUM8JNQDaL+dsUz6tNurPZJNw () mail ! gmail ! com
On Sat, Mar 13, 2021 at 6:53 PM Mike <6502cpu@gmail.com> wrote:
>
> No offense intended, but are you serious? The code bloat from adding tls support
> would completely invalidate the whole purpose of using busybox in the first place.
We do have TLS code in bbox (as otherwise wget would be nearly useless
with today's prevalence of https:// URLs). Sizes:
$ size -t networking/tls*.o
   text    data     bss     dec     hex filename
   5255       0       0    5255    1487 networking/tls.o
   2158       0       0    2158     86e networking/tls_aes.o
    322       0       0     322     142 networking/tls_aesgcm.o
   1470       0       0    1470     5be networking/tls_fe.o
   4753       0       0    4753    1291 networking/tls_pstm.o
    440       0       0     440     1b8 networking/tls_pstm_montgomery_reduce.o
    451       0       0     451     1c3 networking/tls_pstm_mul_comba.o
    479       0       0     479     1df networking/tls_pstm_sqr_comba.o
    685       0       0     685     2ad networking/tls_rsa.o
  16013       0       0   16013    3e8d (TOTALS)
However, nobody yet bothered to adapt this code for DTLS, i.e.
for datagram sockets. (I did not even read DTLS RFCs yet...)
Another missing piece is certificate validation. IOW:
bbox can encrypt/decrypt traffic, but it can't confirm that
when you download from say "kernel.org", it really is kernel.org,
not an impostor. Adding this would be tricky, as root certificate
database is not something easily embeddable :)